9. Fortinet Getting Started v6.0. Logging and reporting


Greetings! Welcome to the ninth lesson of the Fortinet Getting Started course. In the last lesson we examined the main mechanisms for controlling user access to various resources. Now we have another task: we need to analyze how users behave on the network, and to collect the data that will help us investigate security incidents. So in this lesson we look at the logging and reporting mechanism. For this we will need FortiAnalyzer, which we deployed at the beginning of the course. The necessary theory, as well as a video lesson, are available below.

In FortiGate, logs are divided into three types: traffic logs, event logs, and security logs. Each type, in turn, is divided into subtypes.

Traffic logs record information about traffic flows, such as the connection's source and destination, the policy that handled it, and the resulting action. This type has the subtypes Forward, Local, and Sniffer.

The Forward subtype contains information about traffic that FortiGate either accepted or rejected according to firewall policies.

The Local subtype contains information about traffic that originates from or terminates on FortiGate's own IP addresses, including connections from the addresses that administration is performed from. For example, a session to the FortiGate web interface.

The Sniffer subtype contains traffic logs for traffic that FortiGate only observes rather than forwards, i.e. traffic mirrored to it (for example from a switch SPAN port) on an interface working in one-arm sniffer mode.

Event logs contain system or administrative events, such as configuration changes, administrator logins, establishing and tearing down VPN tunnels, dynamic routing events, and so on. All subtypes are shown in the figure below.

The third type is security logs. These record events produced by the security profiles: malware detections, visits to blocked web resources, use of blocked applications, IPS signature hits, and so on. The complete list is also shown in the figure below.
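To make this taxonomy concrete, here is an added example that is not code from the original lesson or from Fortinet. It parses FortiGate-style key=value log records, buckets them by type/subtype the way the GUI does (security logs are labelled type="utm" in the raw record), and then runs two checks an analyst would want over exactly these log types: which sources are hitting the deny policy in the forward traffic log, and repeated failed administrator logins in the event log. The sample lines are constructed for the example: they follow FortiGate's key=value layout, but the device name, device ID, addresses, log IDs and messages are made up, and each record carries only a subset of the fields a real one does.

```python
"""Parse FortiGate key=value log records and sort them into the log types
described above (traffic/forward, traffic/local, event/..., security/...).

Added example, not code from the original article.  The sample lines are
constructed to follow FortiGate's key=value syslog layout; device names,
IDs, addresses and messages are made up.
"""
import re
from collections import Counter

# One field is  key=value  or  key="value with spaces"
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The GUI's "security" logs are type="utm" in the raw record.
_TYPE_NAMES = {"traffic": "traffic", "event": "event", "utm": "security"}

DEV = 'devname="FGT-LAB" devid="FG100ETK19000001" vd="root"'  # constructed device
LOG_LINES = [
    # traffic/forward: session accepted by policy 1
    f'date=2019-05-20 time=10:15:01 {DEV} type="traffic" subtype="forward" level="notice" '
    'srcip=192.168.1.10 srcport=51234 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=1 service="HTTPS"',
    # traffic/forward: two telnet attempts dropped by the implicit deny policy (policyid=0)
    f'date=2019-05-20 time=10:15:02 {DEV} type="traffic" subtype="forward" level="warning" '
    'srcip=192.168.1.55 srcport=40001 dstip=10.0.0.5 dstport=23 proto=6 action="deny" policyid=0 service="TELNET"',
    f'date=2019-05-20 time=10:15:03 {DEV} type="traffic" subtype="forward" level="warning" '
    'srcip=192.168.1.55 srcport=40002 dstip=10.0.0.6 dstport=23 proto=6 action="deny" policyid=0 service="TELNET"',
    # traffic/local: an admin workstation opening the FortiGate web GUI
    f'date=2019-05-20 time=10:16:00 {DEV} type="traffic" subtype="local" level="notice" '
    'srcip=192.168.1.20 srcport=52000 dstip=192.168.1.1 dstport=443 proto=6 action="accept" service="HTTPS"',
    # event/system: three failed GUI logins from that workstation
    *[
        f'date=2019-05-20 time=10:16:{s:02d} {DEV} type="event" subtype="system" level="alert" '
        'logdesc="Admin login failed" user="admin" ui="https(192.168.1.20)" srcip=192.168.1.20 '
        'action="login" status="failed" msg="Administrator admin login failed from https(192.168.1.20) because of invalid password"'
        for s in (5, 9, 14)
    ],
    # security (utm)/virus: antivirus blocked an EICAR test file
    f'date=2019-05-20 time=10:17:30 {DEV} type="utm" subtype="virus" level="warning" eventtype="infected" '
    'srcip=192.168.1.10 dstip=203.0.113.7 action="blocked" virus="EICAR_TEST_FILE" msg="File is infected."',
]


def parse_record(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    rec = {}
    for key, raw in _FIELD.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    return rec


def parse_records(lines):
    return [parse_record(line) for line in lines]


def category(rec):
    """'traffic/forward', 'event/system', 'security/virus', ..."""
    t = rec.get("type", "unknown")
    return f'{_TYPE_NAMES.get(t, t)}/{rec.get("subtype", "unknown")}'


def count_by_category(records):
    return dict(Counter(category(r) for r in records))


def denied_forward_by_source(records):
    """Sources whose traffic was denied by firewall policy (forward logs only)."""
    hits = Counter(r["srcip"] for r in records
                   if r.get("type") == "traffic" and r.get("subtype") == "forward"
                   and r.get("action") == "deny" and "srcip" in r)
    return dict(hits)


def failed_admin_logins(records, threshold=3):
    """Sources with at least `threshold` failed admin logins.  Uses srcip and
    falls back to the address inside ui="https(1.2.3.4)" when srcip is absent."""
    hits = Counter()
    for r in records:
        if r.get("type") != "event" or r.get("action") != "login" or r.get("status") != "failed":
            continue
        src = r.get("srcip")
        if src is None:
            m = re.search(r"\(([^)]+)\)", r.get("ui", ""))
            src = m.group(1) if m else "unknown"
        hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_records(LOG_LINES)
    for cat, n in sorted(count_by_category(recs).items()):
        print(f"{cat:20} {n}")
    print("denied by source:   ", denied_forward_by_source(recs))
    print("failed admin logins:", failed_admin_logins(recs))
```

The same parser works on records received over syslog or exported from FortiAnalyzer, since both preserve the key=value layout; only the fields present will differ, which is why every lookup above uses `.get()` rather than assuming a field exists.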


Logs can be stored in different places, both on FortiGate itself and outside it. Storing logs on FortiGate is called local logging. Depending on the model, logs are written either to the device's flash memory or to a hard drive. As a rule, mid-range models have a hard drive, and they are easy to recognize: the model number ends in 1. For example, the FortiGate 100E ships without a hard drive, while the FortiGate 101E ships with one.

Entry-level and high-end models usually have no hard drive, so flash memory is used for logs. Keep in mind, however, that constant log writes wear flash memory out and shorten its service life. For this reason logging to flash is disabled by default, and it is recommended to enable it only temporarily, while troubleshooting a specific problem.

Under intensive logging, whether to a hard drive or to flash memory, the device's performance will drop, so local storage is best treated as a short-term buffer rather than the primary log archive.


It is quite common to store logs on remote servers. FortiGate can store logs on Syslog servers, on FortiAnalyzer or FortiManager. You can also use the FortiCloud cloud service to store logs.


A syslog server is a central collection point for logs from network devices, using the standard syslog protocol.
FortiCloud is a subscription-based security management and log storage service. With it you can store logs remotely and build reports on them. For a fairly small network this cloud service can be a better option than buying additional hardware. There is a free tier of FortiCloud that retains logs for one week; with a paid subscription logs can be retained for a year.

FortiAnalyzer and FortiManager are external log storage devices. Since all of these products come from the same Fortinet ecosystem and are designed to work together, integrating FortiGate with them presents no difficulty.

The differences between FortiAnalyzer and FortiManager should be noted, however. The main purpose of FortiManager is centralized management of several FortiGate devices, so the amount of storage available for logs on FortiManager is significantly smaller than on FortiAnalyzer (when comparing models from the same price segment, of course).

The main purpose of FortiAnalyzer is to collect and analyze logs. That is why it is FortiAnalyzer that we will work with in the practical part.

The whole theory, as well as the practical part, are presented in this video lesson:


In the next lesson, we will cover the main points related to the administration of the FortiGate device. In order not to miss it, stay tuned for updates on the following channels:

Source: habr.com
